logo

Dive into Apple IO80211FamilyV2

Conference:  BlackHat USA 2020

2020-08-06

Summary

The presentation discusses vulnerabilities found in the Wi-Fi subsystem family version 2 on Apple platforms and the importance of using the Apple SDK for reverse engineering.
  • Vulnerabilities found in the Wi-Fi subsystem family version 2 on Apple platforms
  • Importance of using the Apple SDK for reverse engineering
  • Anecdote about a vulnerability introduced in v2 when porting existing features from v1
  • Demonstration of a vulnerability that allows for extraction of information before initialization
The presenter found a vulnerability in the Wi-Fi subsystem family version 2 that was introduced when porting existing features from v1. The vulnerability allowed for the extraction of information before initialization, which could include kernel data and function pointers. The presenter also demonstrated a vulnerability that allowed for the extraction of information before initialization, which could be used to detect HIP data or memory layout. These vulnerabilities highlight the importance of using the Apple SDK for reverse engineering to identify and address potential security issues.

Abstract

Starting from macOS Catalina Beta, Apple refactored the architecture of the 80211 Wi-Fi client drivers and renamed the new generation design to IO80211FamilyV2. Compared with IO80211Family (V1), modules such as Version 2 and AppleBCMWLANCore integrate the original AirPortBrcm series drivers and further expand features such as Sidecar and Skywalk. These latest changes provide better support and protection for communication and data sharing between devices. Of course, we should also realize that new features are always accompanied by new vulnerabilities and potential risks of being attacked.This research will delve into each of the affected Wi-Fi kernel components and explore new attack surfaces. We will also share with you more than a dozen zero-day vulnerabilities, which can be classified into at least four categories from the high level of the architecture:Vulnerabilities affecting only V1. In other words, V2 fixes vulnerable functions. Unfortunately, these important improvements have not been synchronized with other system platforms, so we can use them to attack targets like the latest macOS High Sierra and Mojave.Vulnerabilities affecting only V2. In short, developers mistakenly introduced security flaws into Catalina when porting existing V1 functions.Vulnerabilities that affect both V1 and V2.Vulnerabilities in the new features of V2. In fact, many codes have not been rigorously audited and tested. Through these brand new cases, this presentation will help you better understand the design and security challenges of Apple's 80211 Wi-Fi subsystem.

Materials:

Tags: